In Web development, the term “Web mashup” is often used to describe a Web application that combines content from multiple sources to provide a new and distinct service to a user. Content used in mashups is often sourced from third party Web services via an application programming interface (API) or other interface. The entities involved in executing a mashup typically include: (1) content providers, such as third-party Web service providers, that make content available; (2) a Web site (“the mashup site”) that facilitates access to a mashup that combines content obtained from the third-party Web service providers; and (3) a client Web browser that acts as a user interface to the mashup and that may actually execute the mashup using a client-side Web language such as JavaScript. Web mashups are also sometimes referred to as Web application hybrids.
It is desirable to be able to embed Web mashups in a variety of different Web pages located in a variety of different Internet domains. For example, users may wish to embed Web mashups developed by themselves or others into personal Web pages published via social networking Web sites, blogs, or other Web pages, thereby adding creativity and functionality to those Web pages. Ideally, a Web mashup should be capable of execution within the context of a Web page such that the Web mashup can directly interact with other elements on the Web page and vice versa, thereby allowing Web mashup data and functionality to be closely incorporated in the Web page.
One obstacle to embedding Web mashups in Web pages in this manner is that the retrieval of content by the mashup from third-party Web services will be hindered by a basic Web browser security model referred to as Same Origin Policy (SOP). SOP is used in most modern Web browsers that support client-side scripting. SOP operates to prevent a Web site from requesting data from any origin other than the origin from which the site was served. The term “origin” refers to a domain name, protocol and port. Two Web pages belong to the same origin if and only if these three values are the same.
This obstacle may be avoided if the third-party Web service uses either JSONP (JavaScript Object Notation with Padding) or certain application-specific policy files to serve up content. In this case, an agreement contract for cross-domain serving exists that will not violate SOP. However, many third-party Web service providers do not service Web requests in this fashion and thus another solution is required.